According to TechRadar, a security researcher has recently discovered a major vulnerability in Windows PCs involving Microsoft’s most basic text editor. The Notepad security flaw, as discovered by Google Project Zero security researcher Tavis Ormandy, could be exploited to let hackers take over whole computers “simply by loading some malicious code using Notepad.” And this particular flaw may affect PCs running versions of Windows as early as Windows XP.
The flaw itself, as TechRadar notes, involves taking advantage of a weakness in the Windows Text Services Framework. (This framework deals with things like text inputs, text processing, and keyboard layouts.) Within this framework is the source of the security flaw itself, a component known as CTextFramework. And as The Register reports, this component has its own security flaws that ultimately render it vulnerable to being hacked “via applications that interact with it to handle text on the screen.”
Furthermore, TechRadar notes that Ormandy’s investigation into the Notepad flaw essentially found that the system’s security protocols “can be easily bypassed” and could allow hackers to not only increase their access privileges but also “gain access to multiple systems across the victim’s device.” Ormandy’s blog post on the matter further described the extent of the CTextFramework vulnerability:
“Firstly, there is no access control whatsoever! Any application, any user – even sandboxed processes – can connect to any CTF session. Clients are expected to report their thread id, process id, and HWND, but there is no authentication involved and you can simply lie. Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications – even privileged applications – to connect to you. Even when working as intended, CTF could allow escaping from sandboxes and escalating privileges.”
According to TechRadar and ZDNet, Microsoft has released a patch for this flaw, which is officially known as CVE-2019-1162. This patch was released on Tuesday, August 13, as part of Microsoft’s monthly release of security updates known as Patch Tuesday. ZDNet reports that the August 2019 edition of Patch Tuesday included patches for a total of 93 security flaws.